Fake files on Github might be malware - even from "Microsoft"

Reading time icon 2 min. read


Readers help support MSpoweruser. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help MSPoweruser sustain the editorial team Read more

Key notes

  • Hackers exploit GitHub comments to upload malware disguised as trusted files.
  • Download links appear legit by including uploader’s name (e.g., Microsoft).
  • No current fix for developers, disabling comments hurts collaboration.

Security researchers have identified a vulnerability in GitHub’s comment file upload system that malicious actors are exploiting to spread malware.

Here’s how it works: When a user uploads a file to a GitHub comment (even if the comment itself is never posted), a download link is automatically generated. This link includes the name of the repository and its owner, potentially tricking victims into thinking the file is legitimate because of the trusted source affiliation.

For instance, hackers could upload malware to a random repository, and the download link might appear to be from a well-known developer or company like Microsoft.

The malware installers’ URLs indicate they belong to Microsoft, but there is no reference to them in the project’s source code.

https://github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip

https://github[.]com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip

This vulnerability doesn’t require any technical expertise; simply uploading a malicious file to a comment is enough.

For example, a threat actor could upload a malware executable in NVIDIA’s driver installer repo that pretends to be a new driver fixing issues in a popular game. Or a threat actor could upload a file in a comment to the Google Chromium source code and pretend it’s a new test version of the web browser.

These URLs would also appear to belong to the company’s repositories, making them far more trustworthy.

Unfortunately, there’s currently no way for developers to prevent this misuse besides disabling comments entirely, which hinders project collaboration.

While GitHub has removed some malware campaigns identified in reports, the underlying vulnerability remains unpatched, and it’s unclear if or when a fix will be implemented.

More here.

User forum

0 messages